The National Cyber Security Centre Finland’s weekly review – 04/2024

Topics covered in this week’s review

• Email accounts being hijacked again with secure email scams
• Bank scam messages now trying to scare people with data breaches
• Speeding ticket scams under the name of the police
• Taxpayers plagued by MyTax scams
• EU regulation of companies garnered interest at the ‘Kyberala murroksessa’ seminar
• Vulnerabilities

Email accounts being hijacked again with secure email scams

The NCSC-FI has received numerous reports of secure email phishing messages. The spoofed secure email messages contain links that lead to a phishing site asking for your username and password. The scam messages are currently spreading between organisations in the education and municipal sectors. If you make the mistake of clicking the link in the scam message and entering your email username and password on the website that opens up, your email account will be hijacked by criminals, who will use it for fraud and to send out more phishing messages.

The hijacked accounts are used to send out thousands of new account phishing messages and for invoice fraud attempts, for example. 

The NCSC-FI urges all organisations using Microsoft 365 services to provide their employees with information about the threats posed by phishing messages. We also recommend using two-factor authentication and restricting the creation of email forwarding rules. One effective way of protecting against phishing campaigns is to make two-factor authentication mandatory for your organisation’s users. Leaving the use of two-factor authentication up to the user does not provide the same level of protection. 

Bank scam messages now trying to scare people with data breaches 

“Hyvä asiakas, Joudumme ilmoittaa sinulle, että 19 tammikuuta 2024 tapahtui tietovuoto” (“Dear customer, We regret to inform you that there was a data leak on 19 January 2024”), starts the scam message written by criminals, who are now trying to scare victims with data breaches and data leaks that have allegedly compromised the victim’s information and powers of attorney. At the end of the message, the victim is urged to “Toimi nyt” (“Act now”), meaning click on a link that leads to a fake website spoofed to look like the strong identification login page of a real bank. The criminals are hoping that the victim will enter their login information on the fake page, thus handing their information over to the criminals, who can then proceed to empty the victim’s bank account.

These messages are, of course, just another scam, albeit one for which the scammers have come up with a new twist. The scam messages claim that the victim’s information was compromised because a third party gained access to a bank employee’s computer systems. This time, the scammers have drawn inspiration from a real incident: in December, there were news reports of a data breach in which a bank employee’s email account was broken into, as a result of which clients’ personal data may have been compromised. However, in the reported case, customers’ funds and powers of attorney remained safe, and all affected victims have since been contacted.

The scam messages have been sent out in the thousands from different email addresses, which have all referenced “OP Turvallisuus (“OP Security”) or similar word combinations in various ways. The “act now” links included in the messages lead to various URLs that have nothing to do with banks, so perceptive recipients will be able to tell that the messages are not genuine. However, if you are in a hurry and reading the message on the small screen of a mobile device, it may not be as easy to identify the messages as scams, which is why you should follow this basic rule: never trust a link included in a message and, more importantly, never access an online bank service via a link.

Speeding ticket scams under the name of the police

Several people have been receiving text messages from scammers impersonating the police, claiming that the victim has an unpaid speeding ticket. The scam message includes a link that the victim is urged to click in order to pay the alleged speeding ticket and avoid late fees.

The messages are a scam. The police do not impose fines or traffic penalty fees via text message or email. Any traffic penalty fees imposed by the police are sent to the suomi.fi service or by post to the person’s home address.

The link included in the scam message has been disguised to look like a police URL, but in reality it leads to an entirely different website managed by criminals. The victim is urged to enter their bank credentials on the phishing site maintained by the criminals.

If you suspect that you have entered your bank credentials on a scam website, you should immediately contact your bank. After that, you can also file a police report.

Taxpayers plagued by MyTax scams

The upcoming tax return season has prompted scammers to start actively phishing for bank credentials once again by sending out text messages under the name of the Finnish Tax Administration. The NCSC-FI has received numerous reports of such scam text messages and emails that include links leading to a phishing website. The scam messages include claims such as “olet maksanut liikaa veroa” (“you have paid too much tax”) and “sinulla on lukematon viesti veronpalautuksestasi” (“you have an unread message about your tax return”). The aim is to get the victim to click on the included link, which leads to a page where the victim is asked to log in using their bank credentials.

You should only ever log in to MyTax directly via a browser bookmark or via the Finnish Tax Administration’s official website. The Finnish Tax Administration, authorities and banks will never send you messages asking you to click on an included link.

EU regulation of companies garnered interest at the ‘Kyberala murroksessa’ seminar

There are several new EU-level information security requirements set to be imposed soon on cyber security operators, device manufacturers, software developers and companies critical to the functioning of society, which will also affect technology companies and service providers.

NIS, CRA and RED are acronyms that pop up frequently in discussions about cyber security. But what are the regulations behind the acronyms actually about? What kinds of requirements and obligations will they impose on companies? How should you prepare for the new regulations?

These are just some of the questions that were explored at the seminar organised by the Finnish Transport and Communications Agency Traficom, the Finnish Information Security Cluster and Technology Industries of Finland in Helsinki on 23 January. The topic garnered a great deal of interest: the event was attended by nearly 100 people on-site in addition to over 1,000 people online.

A big thank you to all the speakers at the event and everyone who participated! We will be publishing a recording of the event as soon as possible on Traficom’s YouTube channel.

Vulnerabilities

CVE: CVE-2024-23222

What: Apple released critical updates for several of its products. The vulnerabilities are known to have already been exploited.

Product: Devices using Apple’s tvOS, Safari, MacOS and iOS operating systems

Fix: Update the device software to the latest version.

Further information (in Finnish): Apple released critical updates for several of its products, vulnerabilities known to have already been exploited